Open source vulnerabilities increase almost 50 percent in 2019
Open source components are the building bricks of many of today's software applications, but this puts them under increased scrutiny with regard to security.
Open source management specialist WhiteSource has released a new report which shows that disclosed open source software vulnerabilities in 2019 skyrocketed to over 6000, up almost 50 percent.
The good news is that over 85 percent of open source vulnerabilities have already been disclosed and fixes are already available. However, Information about vulnerabilities is not published in one centralized location, rather scattered across hundreds of resources, and sometimes poorly indexed -- often making searching for specific data a challenge.
Based on WhiteSource's database, only 29 percent of all open source vulnerabilities reported outside of the NVD (Nartional Vulnerability Database) are eventually published in it.
In addition the researchers compared how the top seven coding languages stack up when it comes to reported open source vulnerabilities in 2019, and then compared those numbers to the past ten years.
C still has the highest percentage of vulnerabilities due to the high volume of code written in this language. PHP's relative number of vulnerabilities has risen significantly, while there’s no indication of the same rise in popularity. Python has a relatively low percentage of vulnerabilities, even though its popularity, especially in the open source community, continues to rise.
The report also considers whether the CVSS (Common Vulnerability Scoring System) score is the best measure on which to base remediation priorities. CVSS has been updated several times over the past few years in attempts to achieve a measurable, objective standard that helps support all organizations and industries. But in the process it has also changed the definition of what a high severity vulnerability is. This means a vulnerability that would have been rated as a 7.6 under CVSS v2 could be a 9.8 under CVSS v3.0, meaning teams are faced with a higher number of high and critical severity issues. Over 55 percent are now high-severity or critical.
The report's authors conclude:
The most important takeaway from this list is that just because popular open source projects have vulnerabilities, that doesn’t mean they are inherently insecure.
It only means that as a user of open source projects you need to be aware of the security risks and make sure to keep your open source dependencies up to date.
Open source components have become an integral part of our software projects. The open source vulnerabilities landscape might seem complex and challenging at first, but there are ways to gain visibility and control over the open source components that make up the products that we release.
You can find out more on the WhiteSource site.